hipl and selinux

Bug #592160 reported by Miika Komu
Affects            Status   Importance   Assigned to   Milestone
HIPL               New      Wishlist     Unassigned
selinux (Ubuntu)   New      Undecided    Unassigned

Bug Description

Figure out how to configure selinux to work with hipl.

---

I have SELINUX=enforcing, SELINUXTYPE=targeted on stargazer and it works.
2.6.27.5-41.fc9.i686 kernel

---

How did you configure it?

---

hipd_init calls system("ifconfig dummy0 mtu"), but selinux does not allow its
operations:

type=1400 audit(1229087479.615:28): avc: denied { read write } for pid=2462
comm="ifconfig" path="/var/lock/hipd.lock" dev=dm-1 ino=483418
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

type=1400 audit(1229087479.615:29): avc: denied { read write } for pid=2462
comm="ifconfig" path="socket:[64091]" dev=sockfs ino=64091
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_route_socket

type=1400 audit(1229087479.615:30): avc: denied { read write } for pid=2462
comm="ifconfig" path="socket:[64092]" dev=sockfs ino=64092
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=netlink_xfrm_socket

type=1400 audit(1229087479.615:31): avc: denied { read write } for pid=2462
comm="ifconfig" path="socket:[64093]" dev=sockfs ino=64093
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

type=1400 audit(1229087479.615:32): avc: denied { read write } for pid=2462
comm="ifconfig" path="socket:[64094]" dev=sockfs ino=64094
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

type=1400 audit(1229087479.615:33): avc: denied { read write } for pid=2462
comm="ifconfig" path="socket:[64096]" dev=sockfs ino=64096
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=udp_socket

type=1400 audit(1229087479.615:34): avc: denied { read write } for pid=2462
comm="ifconfig" path="socket:[64098]" dev=sockfs ino=64098
scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=rawip_socket

---

Is it enough to allow dummy0 in selinux?

---

A policy like this should help, but it does not look very correct.

allow ifconfig_t initrc_t:netlink_route_socket { read write };
allow ifconfig_t initrc_t:netlink_xfrm_socket { read write };
allow ifconfig_t initrc_t:rawip_socket { read write };
allow ifconfig_t initrc_t:udp_socket { read write };
allow ifconfig_t var_lock_t:file { read write };

---

It is even worse, I get "SELinux: failure in selinux_parse_skb(), unable to
parse packet" with ping6 2001:1c:9d:1d34:7d57:bd54:1d10:a393 (halko), but not
2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 (ashenvale),
2001:1e:574e:2505:264a:b360:d8cc:1d75 (stargazer),
2001:14:766e:fbee:f74d:ec73:d6c5:28c0 (hipserver)

So normally "it works", but fails on some HITs.

[root@aeris ~]# ping6 -c1 2001:14:766e:fbee:f74d:ec73:d6c5:28c0
PING
2001:14:766e:fbee:f74d:ec73:d6c5:28c0(2001:14:766e:fbee:f74d:ec73:d6c5:28c0) 56
data bytes
64 bytes from 2001:14:766e:fbee:f74d:ec73:d6c5:28c0: icmp_seq=1 ttl=64
time=0.316 ms

--- 2001:14:766e:fbee:f74d:ec73:d6c5:28c0 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.316/0.316/0.316/0.000 ms
[root@aeris ~]# ping6 -c1 2001:1e:574e:2505:264a:b360:d8cc:1d75
PING
2001:1e:574e:2505:264a:b360:d8cc:1d75(2001:1e:574e:2505:264a:b360:d8cc:1d75) 56
data bytes
64 bytes from 2001:1e:574e:2505:264a:b360:d8cc:1d75: icmp_seq=1 ttl=64
time=0.355 ms

--- 2001:1e:574e:2505:264a:b360:d8cc:1d75 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms
[root@aeris ~]# ping6 -c1 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3
PING 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3(2001:1c:cbae:47ae:2871:f9c:eb94:c8e3)
56 data bytes
64 bytes from 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3: icmp_seq=1 ttl=64
time=0.351 ms

--- 2001:1c:cbae:47ae:2871:f9c:eb94:c8e3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms
[root@aeris ~]# ping6 -c1 2001:1c:9d:1d34:7d57:bd54:1d10:a393
PING 2001:1c:9d:1d34:7d57:bd54:1d10:a393(2001:1c:9d:1d34:7d57:bd54:1d10:a393)
56 data bytes
ping: sendmsg: Operation not permitted
^C
--- 2001:1c:9d:1d34:7d57:bd54:1d10:a393 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 547ms
HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:0014:766e:fbee:f74d:ec73:d6c5:28c0
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.7
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0211:11ff:fe84:b791
 Peer hostname: hipserver.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.2
 Local IP: 0000:0000:0000:0000:0000:0000:0000:0001
 Peer IP: 0000:0000:0000:0000:0000:0000:0000:0001
 Peer hostname: aeris.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001e:574e:2505:264a:b360:d8cc:1d75
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.3
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0215:60ff:fe9f:60c4
 Peer hostname:

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.6
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0000:0000:0000:0555
 Peer hostname: ashenvale.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001e:359d:5b5f:77fb:19b1:eb03:aa3e
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.4
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0213:e8ff:fe82:7341
 Peer hostname:

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001c:009d:1d34:7d57:bd54:1d10:a393
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.5
 Local IP: 193.167.187.149
 Peer IP: 193.167.187.26
 Peer hostname:

---
From Samu:

Network Labeling: IPSEC/xfrm
• Implicit packet labeling via IPSEC/xfrm.
• Security context stored in xfrm policy rules and states.
• Authorize socket's use of policy based on context.
• Build SAs with context of policy.
• Included in Linux 2.6.16.
• TCP SO_PEERSEC support, UDP SCM_SECURITY
  support added in Linux 2.6.17.

---

From Samu:

http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0104.html

---

If you manage to get SELinux to work, please include a new section in the
manual on this and document the exact steps on how to make it work. You can
commit directly to the userspace branch.

Samu has a book on SELinux which he promised to bring tomorrow to HIIT, but
there should be plenty of material available on the net.
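
The ping6 and hipconf output in the description can be correlated mechanically. The following Python is an added example written for this page, not HIPL code: it parses the "HA is ..." dump in the shape printed above, normalises the compressed HITs that ping6 prints to the zero-padded form hipconf prints, and reports which address family the locators (Local IP / Peer IP) of each association use. Run over the dump above it shows that the one peer HIT the kernel refuses (halko's) is also the only association whose locators are IPv4 (193.167.187.x), while the three reachable peers run over IPv6 locators. The page does not establish that this is the cause, only that the correlation is there. The embedded dump is an abridged copy of the one above (the four pinged peers); the `correlate` function and its return shape are this example's own.

```python
"""Correlate hipd host associations with the HITs that do or do not work.

Added example for this bug page (not HIPL code). It parses the "HA is ..."
dump as printed by hipconf above and maps each peer HIT to the address
family of the locators its association runs over.
"""
import ipaddress
import re

STATE_RE = re.compile(r"^\s*HA is (?P<state>\S+)\s*$")
FIELD_RE = re.compile(
    r"^\s*(?P<key>Local HIT|Peer HIT|Local LSI|Peer LSI|Local IP|Peer IP|Peer hostname):"
    r"\s*(?P<val>.*?)\s*$"
)


def canon(addr):
    """Zero-padded form, so '2001:1c:9d:...' (ping6) == '2001:001c:009d:...' (hipconf)."""
    return ipaddress.ip_address(addr).exploded


def parse_ha_dump(text):
    """Split the dump into one dict per association; keys are the field names as printed."""
    assocs, cur = [], None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            cur = {"state": m["state"]}
            assocs.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m["key"]] = m["val"]
    return assocs


def find_assoc(assocs, peer_hit):
    want = canon(peer_hit)
    return next((a for a in assocs if canon(a["Peer HIT"]) == want), None)


def locator_family(assoc):
    """4 or 6 when both locators agree, None for a mixed pair."""
    fams = {ipaddress.ip_address(assoc[k]).version for k in ("Local IP", "Peer IP")}
    return fams.pop() if len(fams) == 1 else None


def correlate(ha_text, ping_results):
    """ping_results: {hit: reachable}. Returns {hit: (hostname, state, family, reachable)}."""
    assocs = parse_ha_dump(ha_text)
    out = {}
    for hit, ok in ping_results.items():
        a = find_assoc(assocs, hit)
        if a is None:
            out[hit] = (None, "no association", None, ok)
        else:
            out[hit] = (a.get("Peer hostname") or None, a["state"], locator_family(a), ok)
    return out


# Abridged copy of the hipconf dump from the bug description (four pinged peers).
HA_DUMP = """\
HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:0014:766e:fbee:f74d:ec73:d6c5:28c0
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.7
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0211:11ff:fe84:b791
 Peer hostname: hipserver.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001e:574e:2505:264a:b360:d8cc:1d75
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.3
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0215:60ff:fe9f:60c4
 Peer hostname:

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001c:cbae:47ae:2871:0f9c:eb94:c8e3
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.6
 Local IP: 2001:0708:0140:0220:0000:0000:0000:0016
 Peer IP: 2001:0708:0140:0220:0000:0000:0000:0555
 Peer hostname: ashenvale.infrahip.net

HA is ESTABLISHED
 Local HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
 Peer HIT: 2001:001c:009d:1d34:7d57:bd54:1d10:a393
 Local LSI: 1.0.0.1
 Peer LSI: 1.0.0.5
 Local IP: 193.167.187.149
 Peer IP: 193.167.187.26
 Peer hostname:
"""

# Outcome of the four ping6 runs in the description (halko's HIT got EPERM on sendmsg).
PING_RESULTS = {
    "2001:14:766e:fbee:f74d:ec73:d6c5:28c0": True,   # hipserver
    "2001:1e:574e:2505:264a:b360:d8cc:1d75": True,   # stargazer
    "2001:1c:cbae:47ae:2871:f9c:eb94:c8e3": True,    # ashenvale
    "2001:1c:9d:1d34:7d57:bd54:1d10:a393": False,    # halko
}

if __name__ == "__main__":
    for hit, (host, state, fam, ok) in correlate(HA_DUMP, PING_RESULTS).items():
        print(f"{hit:40} {host or '-':24} {state:12} IPv{fam} {'ok' if ok else 'FAIL'}")
```

The same function works on a full `hipconf` dump; a HIT with no association comes back as "no association" rather than raising, which is the other case worth distinguishing when a ping fails.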

René Hummen (rene-hummen) wrote :

What's the status of this bug?

Miika Komu (miika-iki) wrote :

No progress, still open.

Changed in hipl:
importance: Undecided → Wishlist
Miika Komu (miika-iki) wrote :

From Robert:

First off I was given a sample script:

setenforce 0 # drop to permissive
load_policy # create reset point to assist in isolation of avcs
# go through all motions to trigger all actions that need to be allowed
audit2allow -M $module_name -l -i /var/log/audit/audit.log # build module
setenforce 1 # restore enforcing
less $module_name.te # inspect the module, salt to taste
semodule -v -i $module_name.pp # load it

Use /var/log/messages instead of audit.log if you have not configured audit.

Another example he shared with me is:

grep vsftpd /var/log/audit/audit.log | \
   audit2allow -M vsftpd
semodule -i vsftpd.pp
vi vsftpd.te
checkmodule -M -m -o vsftpd.mod vsftpd.te
semodule_package -o vsftpd.pp -m vsftpd.mod
semodule -i vsftpd.pp

Finally:

sesearch -A -s httpd_t -C
Will show you all the allow rules for the apache service.

So, I will be using this to secure my new mail server (postfix/mysql/dovecot/roundcube) that will hopefully be running HIP as well. The challenge will be that this is running a BIND 9.8 caching server to speed up mail handling.

Now here is what I did to get HIPL and selinux to SEEM to live together:

setenforce 0
load_policy
service hipfw start
audit2allow -M hipfw -l -i /var/log/messages
semodule -v -i hipfw.pp
service hipd start
audit2allow -M hipd -l -i /var/log/messages
semodule -v -i hipd.pp

I have been told: DON'T try to move .pp files between OS versions, though maybe .te files can be used with checkmodule to build an OS-specific .pp to load.

No avc messages so far, but there are some errors in the log.

Another issue I encountered:
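
The five allow rules in the bug description (the lines starting `allow ifconfig_t ...`) are what audit2allow derives from the AVC records above it, and the audit2allow step in Robert's procedure here does the same thing from the live log. The following Python is an added example written for this page, not HIPL code and not the SELinux tools' own implementation: it parses `avc: denied` records in both the raw audit.log shape and the syslog-wrapped shape found in /var/log/messages, optionally filters on `comm` the way the `grep vsftpd` example does, collapses repeated denials for the same (source type, target type, class) into one rule, and emits a .te module with the `require` block that checkmodule needs. The embedded records are the ifconfig denials from the description re-joined onto single lines as audit.log stores them; the syslog prefix on one of them and the trailing non-AVC kernel line are constructed.

```python
"""Derive SELinux allow rules from AVC denials (the step audit2allow performs).

Added example for this page, not HIPL or SELinux project code. The records
below are the ifconfig denials quoted in the bug description; one is wrapped
in a constructed syslog prefix to show the /var/log/messages shape.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return {'perms': [...], 'pid': ..., 'comm': ..., 'scontext': ..., ...} or None."""
    m = AVC_RE.search(line)          # search, not match: tolerates any syslog prefix
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
    if not {"scontext", "tcontext", "tclass"}.issubset(fields):
        return None
    return {"perms": m["perms"].split(), **fields}


def type_of(context):
    """user:role:type[:range] -> type; allow rules are written on types."""
    return context.split(":")[2]


def collect_rules(lines, comm=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc_line(line)
        if rec is None or (comm is not None and rec.get("comm") != comm):
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return dict(rules)


def format_allow_rules(rules):
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        p = f"{{ {p} }}" if len(perms) > 1 else p
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out


def build_te_module(name, rules, version="1.0"):
    """Complete .te source: module header, require block, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + format_allow_rules(rules)
    return "\n".join(lines) + "\n"


SC = "scontext=unconfined_u:system_r:ifconfig_t:s0"
TC_INIT = "tcontext=unconfined_u:system_r:initrc_t:s0"
SAMPLE_LOG = [
    f'type=1400 audit(1229087479.615:28): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="/var/lock/hipd.lock" dev=dm-1 ino=483418 {SC} tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file',
    f'type=1400 audit(1229087479.615:29): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="socket:[64091]" dev=sockfs ino=64091 {SC} {TC_INIT} tclass=netlink_route_socket',
    f'type=1400 audit(1229087479.615:30): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="socket:[64092]" dev=sockfs ino=64092 {SC} {TC_INIT} tclass=netlink_xfrm_socket',
    f'type=1400 audit(1229087479.615:31): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="socket:[64093]" dev=sockfs ino=64093 {SC} {TC_INIT} tclass=rawip_socket',
    f'type=1400 audit(1229087479.615:32): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="socket:[64094]" dev=sockfs ino=64094 {SC} {TC_INIT} tclass=rawip_socket',
    # Same record as the description's :33 event, wrapped in a constructed syslog prefix.
    f'Dec 12 15:51:19 aeris kernel: type=1400 audit(1229087479.615:33): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="socket:[64096]" dev=sockfs ino=64096 {SC} {TC_INIT} tclass=udp_socket',
    f'type=1400 audit(1229087479.615:34): avc: denied {{ read write }} for pid=2462 comm="ifconfig" path="socket:[64098]" dev=sockfs ino=64098 {SC} {TC_INIT} tclass=rawip_socket',
    "Dec 12 15:51:19 aeris kernel: dummy0: link up",  # constructed non-AVC line, must be ignored
]

if __name__ == "__main__":
    print(build_te_module("hipd_ifconfig", collect_rules(SAMPLE_LOG, comm="ifconfig")), end="")
```

The generated module is compiled and loaded with the same three commands Robert lists (`checkmodule -M -m -o hipd_ifconfig.mod hipd_ifconfig.te`, `semodule_package -o hipd_ifconfig.pp -m hipd_ifconfig.mod`, `semodule -i hipd_ifconfig.pp`). The rules it produces are the same five as in the description, and they deserve the same "does not look very correct" verdict: every socket denial is ifconfig touching a descriptor labelled initrc_t, that is, a raw, UDP or netlink socket it inherited from hipd across the `system()` call, together with hipd's lock file. Granting ifconfig_t read/write on hipd's sockets widens ifconfig's reach for no functional gain; marking those descriptors close-on-exec (or not shelling out for the MTU change at all) removes the denials without any policy change, leaving at most the dummy0 interface configuration itself to authorise.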

affects: ubuntu → selinux (Ubuntu)